PAN-OS 11.1.6 Known Issues
Table of Contents
Expand All
|
Collapse All
Next-Generation Firewall Docs
-
-
-
-
-
-
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
-
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1
PAN-OS 11.1.6 Known Issues
PAN-OSĀ® 11.1.6 known issues.
The following list includes only outstanding known issues specific to PAN-OSĀ®
11.1.6. This list includes issues specific to Panoramaā¢, GlobalProtectā¢, VM-Series
plugins, and WildFireĀ®, as well as known issues that apply more generally or that are
not identified by an issue ID.
Issue ID
|
Description
|
---|---|
PAN-293673 | When the firewall generates a high volume of logs and attempts to export these logs to an FTP server, it may consume excessive memory leading to all PAN-OS processes crashing. |
PAN-292202
|
The system logs repeatedly displayed the alert `Clearing snmpd.log
due to log overflow` due to the SNMP counters rolling over. This is
a benign message and does not impact device functionality.
|
PAN-290996
This issue is now resolved. See
PAN-OS 11.1.6-h14 Addressed Issues, PAN-OS 11.1.7-h1 Addressed Issues, and PAN-OS 11.1.10-h1 Addressed Issues
|
When performing an SNMP walk, the Connections Per Second (CPS)
counters incorrectly return a value of 0 for each virtual system
(VSYS), despite the firewall actively processing connections.
|
PAN-290088
|
When pushing configurations from Panorama to a firewall, a memory
leak might occur in the firewall's configd process,
particularly when the configurations contain shared policies. Each
configuration push causes the configd process to
consume additional memory that is not released after the commit
completes.
|
PAN-289383
|
(PA-800 series firewalls only) Upgrading firewalls to PAN-OS
11.0 or later causes SFP ports to go non-operational when the
firewall uses forced port mode and the connected peer device
operates without auto-negotiation.
Workaround: Enable auto-negotiation on the connected peer
firewall.
|
PAN-287056
This issue is now resolved. See PAN-OS 11.1.6-h14 Addressed Issues
|
A BGP export policy rule that matches on a next hop fails to block
the advertisement of static routes, and the firewall incorrectly
matches the egress interface IP address instead of the original
next-hop IP address of the static route, which causes the deny rule
to fail.
|
PAN-286897
This issue is now resolved. See PAN-OS 11.1.6-h10 Addressed Issues and PAN-OS 11.1.10 Addressed Issues.
|
The pan_task process might fail when the firewall
attempts to forward files to the WildFire public cloud, which can
cause the dataplane to experience heartbeat failures.
Workaround: Disable the firewall WildFire Analysis
profile.
|
PAN-286848
|
ECMP incorrectly balances sessions across links based on the
configured metric, which leads to an imbalance in traffic
distribution and results in traffic assignment shifting
disproportionately to routes with lower metrics.
|
PAN-286496
|
(NGFW Clusters) URL-continue and override continue
selections will function like a general URL-block action.
|
PAN-286306
This issue is now resolved. See PAN-OS 11.1.6-h14 Addressed Issues
|
When getting transceiver information from ESCC for SFP 25G modules,
the transceiver code incorrectly displays
Unknown instead of
25GBase-SR.
|
PAN-286255
This issue affects PAN-OS 11.1.6-h4
This issue is now resolved. See PAN-OS 11.1.6-h7 Addressed Issues.
|
When a firewall receives an unexpected termination request for
certain SSL sessions , NGFW dataplane might experience a slow buffer
resource leak.
Workaround: Disable accumulation proxy on the NGFW.
|
PAN-286231
|
When performing a partial Commit and Push on Panorama, there
is a risk that unintended configuration changes might be pushed to a
firewall.
This issue is more likely to occur in the following scenarios:
Workaround: Perform one of the following steps:
|
PAN-285894
|
If the Preserve Pre-NAT feature is enabled, dataplane crashes may
occur, which could result in firewall reboots.
Workaround: Disable the Preserve Pre-NAT feature using the
set deviceconfig setting preserve-prenat-feature
no CLI command.
|
PAN-285590
|
VM-Series firewalls deployed behind an AWS GWLB might experience 100%
dataplane CPU utilization when an Anti-Spyware profile is applied to
traffic.
|
PAN-283467
This issue is now resolved. See PAN-OS 11.1.6-h10 Addressed Issues.
|
(PA-3400 Series firewalls only) The firewall might
unexpectedly reboot and enter maintenance mode due to a
ctd-agent out-of-memory (OOM) condition when
undergoing advanced services load testing with a high volume of IoT
EAL log forwarding.
Workaround: Limit the number of EAL logs generated by the
firewall using the following CLI command: debug iot eal
key-value EAL_PENDING_BYTES=1000.
|
PAN-282854
| The Elasticsearch cluster fails to start after
deploying dedicated log collectors in a multi-collector
environment. Workaround: Restart all the involved log
collectors. |
PAN-282236
(PAN-OS 11.1.6-h3 only)
This issue is now resolved. See
PAN-OS 11.1.6-h4 Addressed Issues.
|
The firewall doesn't reassemble IPv6 packets correctly after they are
fragmented. IPv6 SSL sessions may not be established if the client
hello arrives in multiple segments.
|
PAN-281885
|
When exporting and importing the CSV file, the hash values of
pre-shared key (PSK) variables set at template and template stack
levels inconsistently change, resulting in both variables displaying
the same hash value.
|
PAN-280532
This issue is now resolved. See PAN-OS 11.1.10 Addressed Issues.
|
When you use a single syslog server over TCP for log forwarding, and
the connectivity to the syslog server breaks, syslog forwarding does
not resume even after the connectivity to the server restores.
Workaround: Performing one of the following tasks:
|
PAN-280471
|
When applying filters or searching for logs in the PanoramaMonitorLogssection, you might experience slow performance.
|
PAN-279901
|
When decryption is enabled, segmented Client Hello packets can cause
website access issues and memory leaks under the following
conditions:
|
PAN-279746
(PAN-OS 11.1.6-h3 only)
This issue is now resolved. See
PAN-OS 11.1.6-h4 Addressed Issues.
|
An SSL/TLS Client Hello may not be transmitted out of the firewall if
the Client Hello arrives in multiple TCP segments and the traffic is
not subject to SSL decryption (for example, SMTP over SSL).
|
PAN-279621
This issue is now resolved. See PAN-OS 11.1.9 Addressed Issues.
|
Early aging and removal of firewall session while they are still
active can lead to intermittent instabilities and crashes for proxy
traffic, the Content and Threat detection engine, and any data-path
processing.
|
PAN-279604
(PAN-OS 11.1.6-h1 only)
|
The scheduled SaaS application usage reports are incorrectly
generated and only the login page appears instead of the intended
report content.
|
PAN-279415
|
Service routes configured for a data plane interface might
incorrectly route traffic through the management plane interface
instead. This issue impacts Syslog and CRL status traffic when the
service route lacks a specific destination custom service route.
|
PAN-278322
|
VM-Series firewalls deployed behind an AWS GWLB might display an
incorrect or empty Source User field in traffic logs and session
details.
|
PAN-278296
(This issue affects PAN-OS 11.1.6-h6.)
This issue is now resolved. See PAN-OS 11.1.6-h6 Addressed Issues.
|
The system MAC address of the aggregate interface is the same on both
the active and the passive devices, causing some packets to be sent
incorrectly to the passive device. This is causing the AE interface
on the active firewall to not come up.
|
PAN-277417
Thibx
|
Memory leak issues can occur during the parsing of server
certificates used for SSL Inbound Inspection, preventing the
firewall from completing inspection.
|
PAN-277090
|
When you enable Advanced Routing and configure a BGP Authentication
profile, if you configure a Secret that includes any special
characters apart from these seven special characters !@#%^_-, an
error message displays, indicating that The value in
this field is invalid.
Workaround: Don't include any special character apart from the
!@#%^_- characters in the Secret for a BGP Authentication
profile.
|
PAN-276920
|
URL filtering response pages may load slowly or fail to display when
users request websites that are blocked in the URL Filtering profile
(site access for the corresponding URL category is
block, continue,
or override) attached to the matching
Security policy rule. This occurs on an intermittent basis.
|
PAN-275905 (PAN-OS 11.1.6-h3
only) |
A high volume of incoming logs to a Collector Group can significantly
increase CPU usage on the Elasticsearch and Management Server,
potentially causing process instability or crashes.
|
PAN-275601
This issue is now resolved. See PAN-OS 11.1.10 Addressed Issues
|
When Panorama is not internet-connected and you try to upload images
to the managed firewalls by using the
Validate option, the upload fails with
the following error: Failed to create multi-upload
job. No valid software deploy targets found.
|
PAN-275047
|
(VM-Series firewalls only) After an upgrade, the firewall is
unable to send logs to the Strata Logging Service (SLS) when using a
specific proxy server, and the SSL connection status displays as
failed when attempting to forward logs through the web proxy.
|
PAN-274146
|
VM-Series firewalls deployed behind an AWS GWLB might crash and
reboot unexpectedly if tunnel sessions are moving through the
firewall.
|
PAN-272085 (This issue affects PAN-OS
11.1.6-h3.) |
When DoH is enabled for DNS Security, multiple DoH transactions in a
single HTTP/1 connection might unexpectedly cause the firewall to
crash and reboot.
Workaround: Manually disable DoH support for DNS Security
using the set deviceconfig setting dns-over-https enable
no CLI command. Alternatively, you can remove the
DNS Security configuration used to handle DoH traffic.
|
PAN-269193
This issue is now resolved. See PAN-OS 11.1.8 Addressed Issues.
|
When multiple application are configured for GlobalProtect Clientless
VPN, users are directed to the first application instead of portal
page with a list of application.
|
PAN-268705 This issue is now resolved. See
PAN-OS 11.1.6-h10 Addressed Issues. |
The firewall intermittently fails to process FTP traffic.
Workaround: Configure an application override policy rule for
FTP applications.
|
PAN-262556
|
The ElasticSearch cluster health status might continue to remain
yellow for an extended period after upgrading to PAN-OS 11.1
|
PAN-261429
This issue is now resolved. See PAN-OS 11.1.6-h10 Addressed Issues and PAN-OS 11.1.8 Addressed Issues.
|
The command show auth
radius-require-msg-authentic might return no output.
|
PAN-260851
|
From the NGFW or Panorama CLI, you can override the existing
application tag even if Disable Override is enabled for the
application (ObjectsApplications) tag.
|
PAN-254240
|
In the event of an HSCI flap on an NGFW cluster node, traffic
reconvergence takes three to four seconds.
|
PAN-253963
|
The auto commit job may take longer than expected to complete when
the Panorama management server is in Panorama or Log Collector
mode.
|
PAN-252358
|
(PA-7500 Series firewalls only) In the event of a corosync
restart, an NGFW cluster node goes to failed state.
|
PAN-251551
|
(PA-7500 Series firewalls only) When an NGFW cluster agent
crashes and doesn't recover, leader election will take approximately
45 seconds to begin and traffic failover will occur during that
time.
|
PAN-250903
|
(PA-7500 Series firewalls only) In a congestion scenario on
an HSCI port of an NGFW cluster node, the QoS priorities of cross
node traffic streams might be reversed if you're using the default
QoS profile with class1 to class8 set as high to low.
|
PAN-247974
|
(PA-7500 Series firewalls only) LACP flap is expected during
a device failover in an NGFW cluster due to an L2 ctrld restart on
the new leader node.
|
PAN-240529
This issue is now resolved. See PAN-OS 11.1.7 Addressed Issues
|
(PA-7500 Series firewalls only) Cloud application
information is missing from traffic logs on NGFW cluster nodes.
|
PAN-234015
|
The X-Forwarded-For (XFF) value is not displayed in traffic logs.
|
PAN-224502
|
The autocommit time of the VM-Series firewall running PAN-OS 11.1.0
might take longer than expected.
|
PAN-220180
|
Configured botnet reports (MonitorBotnet) are not generated.
|
PAN-207733
|
When a DHCPv6 client is configured on HA Active/Passive firewalls, if
the DHCPv6 server goes down, after the lease time expires, the
DHCPv6 client should enter SOLICIT state on both the Active and
Passive firewalls. Instead, the client is stuck in BOUND state with
an IPv6 address having lease time 0 on the Passive firewall.
|
PAN-207611
|
When a DHCPv6 client is configured on HA Active/Passive firewalls,
the Passive firewall sometimes crashes.
|
PAN-207442
|
For M-700 appliances in an active/passive high availability (PanoramaHigh Availability) configuration, the
active-primary HA peer
configuration sync to the
secondary-passive HA peer may fail.
When the config sync fails, the job Results is
Successful
(Tasks), however the sync status on the
Dashboard displays as Out
of Sync for both HA peers.
Workaround: Perform a local commit on the
active-primary HA peer and then
synchronize the HA configuration.
|
PAN-207040
|
If you disable Advanced Routing, remove logical routers, and
downgrade from PAN-OS 11.0.0 to a PAN-OS 10.2.x or 10.1.x release,
subsequent commits fail and SD-WAN devices on Panorama have no
Virtual Router name.
|
PAN-206913
|
When a DHCPv6 client is configured on HA Active/Passive firewalls,
releasing the IPv6 address from the client (using Release in the UI
or using the request dhcp client ipv6 release
all CLI command) releases the IPv6 address from
the Active firewall, but not the Passive firewall.
|
PAN-206909
|
The Dedicated Log Collector is unable to reconnect to the Panorama
management server if the configd
process crashes. This results in the Dedicated Log Collector losing
connectivity to Panorama despite the managed collector connection
Status (PanoramaManaged Collector) displaying connected
and the managed colletor Health status
displaying as healthy.
This results in the local Panorama config and system logs not being
forwarded to the Dedicated Log Collector. Firewall log forwarding to
the disconnected Dedicated Log Collector is not impacted.
Workaround: Restart the mgmtsrvr
process on the Dedicated Log Collector.
|
PAN-197588
|
The PAN-OS ACC (Application Command Center) does not display a widget
detailing statistics and data associated with vulnerability exploits
that have been detected using inline cloud analysis.
|
PAN-197419
|
(PA-1400 Series firewalls only) In NetworkInterfaceEthernet, the power over Ethernet (PoE) ports do not display a
Tag value.
|
PAN-196758
|
On the Panorama management server, pushing a configuration change to
firewalls leveraging SD-WAN erroneously show the auto-provisioned
BGP configurations for SD-WAN as being edited or deleted despite no
edits or deletions being made when you Preview
Changes (CommitPush to DevicesEdit Selections or CommitCommit and PushEdit Selections).
|
PAN-195968
|
(PA-1400 Series firewalls only) When using the CLI to
configure power over Ethernet (PoE) on a non-PoE port, the CLI
prints an error depending on whether an interface type was selected
on the non-PoE port or not. If an interface type, such as tap, Layer
2, or virtual wire, was selected before PoE was configured, the
error message will not include the interface name (eg. ethernet1/4).
If an interface type was not selected before PoE was configured, the
error message will include the interface name.
|
PAN-194978
|
(PA-1400 Series firewalls only) In NetworkInterfaceEthernet, hovering the mouse over a power over Ethernet (PoE)
Link State icon does not display link
speed and link duplex details.
|
PAN-187685
|
On the Panorama management server, the Template Status displays no
synchronization status (PanoramaManaged DevicesSummary) after a bootstrapped firewall is successfully added
to Panorama.
Workaround: After the bootstrapped firewall is successfully
added to Panorama, log in to the Panorama web
interface and select CommitPush to Devices.
|
PAN-187407
|
The configured Advanced Threat Prevention inline cloud analysis
action for a given model might not be honored under the following
condition: If the firewall is set to Hold client request
for category lookup and the action set to
Reset-Both and the URL cache has been
cleared, the first request for inline cloud analysis will be
bypassed.
|
PAN-186283
|
Templates appear out-of-sync on Panorama after successfully deploying
the CFT stack using the Panorama plugin for AWS.
Workaround: Use CommitPush to Devices to synchronize the templates.
|
PAN-184708
|
Scheduled report emails (MonitorPDF ReportsEmail Scheduler) are not emailed if:
Workaround: To receive a scheduled report email for all other
PDF report types:
|
PAN-184406
|
Using the CLI to add a RAID disk pair to an M-700 appliance causes
the dmdb process to crash.
Workaround: Contact customer support to stop the dmdb process
before adding a RAID disk pair to a M-700 appliance.
|
PAN-183404
|
Static IP addresses are not recognized when "and" operators are used
with IP CIDR range.
|
PAN-181933
|
If you use multiple log forwarding cards (LFCs) on the PA-7000
series, all of the cards may not receive all of the updates and the
mappings for the clients may become out of sync, which causes the
firewall to not correctly populate the Source User column in the
session logs.
|
PAN-164885
|
On the Panorama management server, pushes to managed firewalls (CommitPush to Devices or Commit and Push) may fail
when an EDL (ObjectsExternal Dynamic Lists) is configured to Check for
updates every 5 minutes due to the commit and EDL
fetch processes overlapping. This is more likely to occur when
multiple EDLs are configured to check for updates every 5
minutes.
|